CLMasters
CLMasters is the developer alias associated with a malicious Google Chrome extension, “CL Suite by @CLMasters” (Chrome Web Store ID: jkphinfhmfkckkcnifhjiplhfoiefffl). The extension masquerades as a Meta Business Suite/Facebook Business Manager utility (scraping data, removing verification pop-ups, generating 2FA codes) while covertly exfiltrating authentication secrets and business data.

The extension requests broad host access to meta.com and facebook.com. Despite privacy-policy claims that 2FA secrets and Business Manager data remain local, it transmits Facebook/Meta TOTP seeds and the current one-time codes, Business Manager “People” CSV exports (names, emails, roles/permissions, access status), and Business Manager analytics/intelligence (Business Manager IDs and names, linked ad accounts, connected pages/assets, and billing/payment configuration details).

Stolen data is sent to attacker-controlled infrastructure at getauth[.]pro (notably /api/telemetry.php and /api/validate.php) using a hardcoded bearer token, with an option to forward the same payloads to a Telegram channel via /api/telegram_notify.php. The extension also collects telemetry and fingerprinting data: tab URLs, user agent, OS, timestamps, and the public IP (obtained from api.ipify.org).

Reporting notes that the extension does not steal passwords directly. Stolen TOTP seeds, however, neutralize 2FA: combined with passwords obtained elsewhere (infostealer logs, credential dumps), they enable account takeover. Because a seed reproduces every future code, the risk persists after the extension is uninstalled; only re-enrolling 2FA (which issues a new seed) revokes it, and the exported business intelligence remains with the actor regardless.

The extension was first uploaded on March 1, 2025 (last updated March 6, 2025) and had a low install base (reported as ~28–33 users). Associated developer infrastructure includes clmasters[.]pro (hosting a “Meta Business Suite Tools” privacy policy) and the contact emails info@clmasters[.]pro and privacy@clmasters[.]pro.
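A hunting script for the indicators above, added here as an illustration; it is not code from the reporting or from the extension itself. It checks an unpacked extension (ID plus manifest.json) for the known-bad ID and for host permissions covering facebook.com/meta.com, and scans proxy-style log lines for requests to the getauth[.]pro and clmasters[.]pro endpoints. The manifest contents, the log-line format and the sample log lines are constructed for the example (the reporting does not reproduce the extension's real manifest); api.ipify.org is a legitimate service, so a hit on it alone is scored low and is only useful in correlation with the other signals.

```python
"""Hunt for the CL Suite extension (endpoint manifest check + proxy log scan)."""
import json
import re
from urllib.parse import urlparse

# Indicators taken from the reporting summarised on this page.
KNOWN_BAD_EXTENSION_IDS = {"jkphinfhmfkckkcnifhjiplhfoiefffl"}   # "CL Suite by @CLMasters"
EXFIL_DOMAINS = {"getauth.pro", "clmasters.pro"}                 # attacker-controlled
EXFIL_PATHS = {"/api/telemetry.php", "/api/validate.php", "/api/telegram_notify.php"}
TARGET_DOMAINS = {"facebook.com", "meta.com"}                    # properties the extension reads
# Legitimate service abused for public-IP lookup: weak signal on its own.
WEAK_DOMAINS = {"api.ipify.org"}


def _host_in(host, domains):
    """True if host equals, or is a subdomain of, any entry in domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def _pattern_host(pattern):
    """Host part of a Chrome match pattern ('*://*.facebook.com/*' -> 'facebook.com')."""
    if pattern == "<all_urls>":
        return "*"
    m = re.match(r"^[^:]+://([^/]+)/", pattern)
    if not m:
        return None
    host = m.group(1).lower()
    return host[2:] if host.startswith("*.") else host


def check_manifest(ext_id, manifest_text):
    """Return findings for an unpacked extension given its ID and manifest.json text."""
    findings = []
    if ext_id in KNOWN_BAD_EXTENSION_IDS:
        findings.append("known-bad extension ID")
    manifest = json.loads(manifest_text)
    # MV3 keeps URL patterns in host_permissions; MV2 mixed them into permissions.
    patterns = list(manifest.get("host_permissions", [])) + [
        p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"
    ]
    hosts = {h for h in (_pattern_host(p) for p in patterns) if h}
    if "*" in hosts:
        findings.append("host access to all URLs")
    hit = sorted(h for h in hosts if _host_in(h, TARGET_DOMAINS))
    if hit:
        findings.append("host access to Meta properties: " + ", ".join(hit))
    return findings


def scan_proxy_log(lines):
    """Flag log lines (constructed format: 'ts client method url') touching exfil infra.

    Returns (severity, client, url) tuples; severity is high/medium/low.
    """
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash the hunt
        url = urlparse(parts[3])
        host = url.hostname or ""
        if _host_in(host, EXFIL_DOMAINS):
            sev = "high" if url.path in EXFIL_PATHS else "medium"
            alerts.append((sev, parts[1], parts[3]))
        elif _host_in(host, WEAK_DOMAINS):
            alerts.append(("low", parts[1], parts[3]))
    return alerts


# Constructed sample inputs (not the extension's real manifest or real logs).
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "CL Suite",
    "host_permissions": ["*://*.facebook.com/*", "*://*.meta.com/*"],
    "permissions": ["storage", "tabs"],
})
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Benign",
    "host_permissions": ["https://example.com/*"],
})
SAMPLE_PROXY_LOG = [
    "2025-03-05T09:12:01Z 10.0.4.17 POST https://getauth.pro/api/telemetry.php",
    "2025-03-05T09:12:02Z 10.0.4.17 GET https://api.ipify.org/?format=json",
    "2025-03-05T09:12:09Z 10.0.4.22 GET https://business.facebook.com/latest/home",
    "2025-03-05T09:13:44Z 10.0.4.17 POST https://getauth.pro/api/telegram_notify.php",
]

if __name__ == "__main__":
    print(check_manifest("jkphinfhmfkckkcnifhjiplhfoiefffl", SAMPLE_MANIFEST))
    for alert in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(alert)
```

On a real host, point check_manifest at each directory under the Chrome profile's Extensions folder (the directory name is the extension ID); the manifest check catches repackaged clones that change the ID but keep the Meta host permissions, which the ID match alone would miss.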
Tradecraft
12 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Operates a malicious Chrome extension (“CL Suite”) targeting Meta Business Suite/Facebook Business Manager users to exfiltrate TOTP seeds/current 2FA codes, Business Manager contact lists (“People” CSV exports), and analytics/asset/billing metadata to attacker-controlled infrastructure (getauth[.]pro) and optionally to a Telegram channel for follow-on account takeover and targeting.
Operates a malicious Chrome extension (“CL Suite”) marketed as a Meta Business Suite/Facebook Business Manager scraping and 2FA helper tool, but which covertly harvests and exfiltrates TOTP seeds, current 2FA codes, account identifiers, Business Manager “People” exports, and Business Manager analytics/payment-related data to operator-controlled infrastructure (getauth[.]pro) and optionally forwards dumps to a Telegram channel for real-time collection. This enables durable MFA bypass and downstream account takeover/ad-fraud and business asset hijacking.
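Why the seed, not the one-time code, is the durable loss: the example below is added here and is not code from the reporting or the extension. It is a plain RFC 4226/6238 HOTP/TOTP implementation on the Python standard library, showing that whoever holds the base32 seed can compute the valid code for any future time offline, so uninstalling the extension changes nothing and only re-enrolling 2FA (which issues a new seed) revokes the access. The seed used is the RFC 6238 Appendix B reference secret, not a real Facebook seed.

```python
"""A stolen TOTP seed yields every future code; a stolen code yields one 30-second window."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (30 s steps by default)."""
    return hotp(secret, int(unix_time) // step, digits)


def decode_seed(base32_seed):
    """Authenticator seeds are shared as base32, often unpadded and sometimes space-grouped."""
    s = base32_seed.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def codes_after_theft(base32_seed, stolen_at, days_later):
    """Codes the thief can produce at the given offsets (in days) after the theft,
    with no further access to the victim's device or extension."""
    secret = decode_seed(base32_seed)
    return [totp(secret, stolen_at + d * 86400) for d in days_later]


def code_window_seconds(step=30):
    """How long a stolen *code* (as opposed to the seed) stays useful: at most one step,
    plus whatever clock skew the verifier tolerates (vendor-specific, not modelled here)."""
    return step


# RFC 6238 Appendix B reference secret (ASCII "12345678901234567890"), base32-encoded.
RFC_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    now = int(time.time())
    # Same seed, codes for today and for 30 and 365 days from now: all computable today.
    for d, code in zip((0, 30, 365), codes_after_theft(RFC_SEED_B32, now, [0, 30, 365])):
        print(f"+{d:>3} days: {code}")
    print(f"a stolen code is valid for about {code_window_seconds()} seconds")
```

Operationally this means the response to an infected Business Manager user is not "uninstall and move on": every Meta account whose 2FA was generated or displayed through the extension needs its authenticator re-enrolled, and the "People" export means the other admins listed in it are now on a targeting list even if their own browsers were clean.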